CVE-2015-2792

WPML < 3.1.8 - Unauthenticated Arbitrary Action Execution via Multiple Action Parameters

Title source: llm
STIX 2.1

Description

The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter.

References (4)

Core 4
Core References
Exploit x_refsource_misc
http://klikki.fi/adv/wpml.html
Vendor Advisory x_refsource_confirm
http://wpml.org/2015/03/wpml-security-update-bug-and-fix/
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Mar/79

Scores

EPSS 0.0380
EPSS Percentile 88.7%

Details

CWE
CWE-284
Status published
Products (1)
wpml/wpml < 3.1.8
Published Mar 30, 2015
Tracked Since Feb 18, 2026